Overview:
Fast food restaurant chain Chick-fil-A is investigating recent suspicious activity on customers’ accounts.
Technical Summary:
Popular American fast food chain Chick-fil-A has conducted a recent investigation on suspicious activity they observed to be linked to some of its customer’s accounts. The alert was brought to their attention Friday and was spotted by security researcher Dominic Alvieri.
Chick-fil-A customers’ accounts were breached around Christmas time and were hijacked and used to buy food in widespread attacks. Also, the accounts were being breached due to a widespread credential-stuffing attack.
Even the accounts that were stolen are being sold between $2-$200 depending on the account balance, linked payment method, or Chick-fil-A One points (This is the food chain points reward system). Social networks have also been flooded with customer reports saying their accounts have been hacked and emptied.
Attack Tactics, Techniques & Procedures:
Initial Access (TA0001)
- Valid Accounts (T1078)
Impact (TA0040)
- Data Manipulation (T1565)
- Data Destruction (T1485)
Credential Access (TA0006)
- Unsecured Credentials (T1552)
- Brute Force (T1110)
- Exploitation for Credential Access (T1212)
Reconnaissance (TA0043)
- Gather Victim Identity Information (T1589)
Resource Development )TA0043)
- Compromise Accounts (T1586)
- Compromise Infrastructure (T1584)
Persistence (TA0003)
- Account Manipulation (T1998)
- Valid Accounts (T1078)
Privilege Escalation (TA0004)
- Exploitation for Privilege Escalation (T1068)
Discovery (TA0007)
- Account Discovery (T1087)
Affected Assets and Organizational Impact:
Threat actors are selling users’ accounts online for affordable prices. The initial attack vector is caused by a credential-stuffing attack. This means users could’ve had other non-related accounts breached and since they used the same password for their Chick-fil-A accounts the threat actors were able to gain access to them.
Some users have gone to social media to discuss the incident and they stated their accounts were drained as well as their reward points. This attack can have serious revenue repercussions for users due to having their payment information exposed and stolen during the attack.
Mitigation and Response:
Chick-fil-A has a support page for their One Membership Program. This customer support website provides potentially affected users with details on what to do if they notice unusual activity on their accounts or if their reward points were redeemed for gift rewards.
Users are also advised to change their passwords immediately and to ones that aren’t the same as other accounts and that are unique and complex. They should also remove any stored payment methods such as credit and debit cards from their accounts.
Since the incident took place Chick-fil-A has disabled the creation of new accounts and banned the use of disposable email addresses, requiring threat actors to use legitimate email services for hijacking accounts.
Sincerely,
Dominic Alegrete
#CyberXE #CyberLeadersStartHere